Figure 1. Risk management process [4]
After the problem has been defined, the first step in the PROMETHEE & GAIA method is defining the objective, which here is the choice of an optimal security standard. Next, it is necessary to define the criteria and the alternatives, ISO 27005, NIST SP 800-30 and OCTAVE, which are described briefly below.
ISO/IEC 27005:2008
ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security. ISO 27005 is a widely accepted methodology and it covers technology, people and processes in risk assessment. Risk assessment is defined through identification, estimation and evaluation. The framework of ISO 27005 consists of two elements: risk analysis and risk evaluation. ISO/IEC 27002:2005, Code of practice for information security management, recommends examining the following during a risk assessment: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management and regulatory compliance. [5]
NIST SP 800-30
The purpose of NIST SP 800-30 is to provide guidance for conducting risk
assessments of federal information systems and organizations. Risk assessments, carried out
at all three tiers in the risk management hierarchy, are part of an overall risk management
process providing senior leaders/executives with the information needed to determine
appropriate courses of action in response to identified risks. It provides guidance for carrying
out each of the steps in the risk assessment process (i.e., preparing for the assessment,
conducting the assessment, communicating the results of the assessment, and maintaining the
assessment) and how risk assessments and other organizational risk management processes
complement and inform each other. Special Publication 800-30 also provides guidance to
organizations on identifying specific risk factors to monitor on an ongoing basis, so that
organizations can determine whether risks have increased to unacceptable levels (i.e.,
exceeding organizational risk tolerance) and different courses of action should be taken. [7]
NIST SP 800-30 is best suited to technology-related risk assessment aligned with common criteria. Its risk assessment methodology encompasses nine primary steps: System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendations and Results Documentation. According to NIST SP 800-30, risk assessment is the analysis of threats in conjunction with vulnerabilities and existing controls.
OCTAVE
OCTAVE is a set of tools, techniques and methods for risk assessment and strategic planning of information security. OCTAVE is an acronym for Operationally Critical Threat, Asset, and Vulnerability Evaluation (O = Operationally, C = Critical, T = Threat, A = Asset, VE = Vulnerability Evaluation).
According to the OCTAVE standard, a risk assessment provides the information necessary for making risk management decisions regarding the degree of security remediation. OCTAVE methods are founded on the OCTAVE criteria, a standard approach for a risk-driven and practice-based information security evaluation. The OCTAVE criteria establish the fundamental principles and attributes of risk management that are used by the OCTAVE methods. The OCTAVE methods are self-directed, which means that small teams of organizational personnel across business units and IT work together to address the security needs of the organization. They are also flexible, which means that each method can be tailored to the organization's unique risk environment, security and resiliency objectives, and skill level. Another important feature of the OCTAVE methods is that they are evolved, which means that OCTAVE moves the organization toward an operational, risk-based view of security and addresses technology in a business context.
After defining and describing the alternatives, it is necessary to define the criteria. There were 7 criteria, which are explained below. Although the PROMETHEE & GAIA method allows both quantitative and qualitative criteria, cost was intentionally left out as a quantitative value. It is one of the most important criteria, but it depends on the scope of implementation and the size of the organization. The qualitative criteria were compared.
Information gathering. It refers to the different methods of gathering data from the employees (interview, questionnaire, etc.).
Simplicity of use. It evaluates whether the method is applicable to the organization and whether it can be adapted to the needs of a specific field. It also describes the amount of human and technical resources necessary for implementation.
Spread of use. This criterion evaluates the maturity of the standard as a selection criterion. It encompasses the spread of use of the method, such as how long the method has existed, how often it is updated and its geographical spread of use, along with the availability of open-market or licensed consultants.
Software and tools. This criterion evaluates the availability of the software and tools necessary for implementation.
Documentation. It refers to the available documentation, helplines, manuals and instruction guides.
Risk assessment. It evaluates how well the standard handles the identification, analysis and evaluation of risks.
Risk treatment. It involves selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.
Each criterion was evaluated on a verbal scale, that is, through the following values: very bad, bad, average, good and very good.
Verbal scale: Very bad, Bad, Average, Good, Very good
Table 1. Verbal scale
Figure 3 shows the PROMETHEE I Partial Ranking, which is based on the comparison of the leaving flow (Phi+) and the entering flow (Phi-). The left column corresponds to the Phi+ scores and the right column to the Phi- scores. They are oriented such that the best scores are at the top. The middle column corresponds to the net flow (Phi, that is, Phi+ minus Phi-). On the left side you can see the ranking of the actions according to Phi+, and on the right side the ranking of the actions according to Phi-. For each action a line is drawn from its Phi+ score to its Phi- score.
When one line lies completely above another, the corresponding action is better on both Phi+ and Phi-. This action is thus preferred to the other in the PROMETHEE I Partial Ranking.
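As an added worked example (not code from the paper), the following computes the leaving, entering and net flows behind the Figure 3 ranking, using the paper's seven qualitative criteria and the verbal scale of Table 1. It assumes a 1..5 mapping of the scale, equal criterion weights and the usual preference function, none of which the page states; the grades are constructed sample data, not the paper's evaluation.

```python
# Added example, not the paper's code: PROMETHEE I/II flows for the three
# alternatives over the seven qualitative criteria graded on the verbal scale.
# Assumptions not on the page: scale mapped to 1..5, equal criterion weights and
# the "usual" preference function. The grades are CONSTRUCTED sample data, not
# the paper's evaluation (NIST gets a polarised profile to show incomparability).
VERBAL = {"very bad": 1, "bad": 2, "average": 3, "good": 4, "very good": 5}
# Grades per criterion in order: information gathering, simplicity of use, spread
# of use, software and tools, documentation, risk assessment, risk treatment.
SAMPLE = {
    "ISO 27005": ["good", "good", "very good", "good", "very good", "very good", "good"],
    "NIST SP 800-30": ["very good", "very good", "bad", "very good", "bad", "bad", "bad"],
    "OCTAVE": ["good", "good", "good", "good", "good", "good", "average"],
}

def usual_preference(d):
    """Usual criterion: full preference for any strictly positive difference."""
    return 1.0 if d > 0 else 0.0

def preference_index(scores, a, b, weights):
    """pi(a, b) = sum_j w_j * P_j(f_j(a) - f_j(b)), weights normalised to sum 1."""
    total = sum(weights)
    return sum(w * usual_preference(fa - fb) / total
               for w, fa, fb in zip(weights, scores[a], scores[b]))

def promethee_flows(evaluations, weights=None):
    """Return {alt: (phi_plus, phi_minus, phi_net)}: mean pi(a, b), mean pi(b, a), difference."""
    scores = {alt: [VERBAL[g] for g in grades] for alt, grades in evaluations.items()}
    names, n = list(scores), len(scores) - 1
    weights = weights or [1.0] * len(next(iter(scores.values())))
    flows = {}
    for a in names:
        plus = sum(preference_index(scores, a, b, weights) for b in names if b != a) / n
        minus = sum(preference_index(scores, b, a, weights) for b in names if b != a) / n
        flows[a] = (round(plus, 4), round(minus, 4), round(plus - minus, 4))
    return flows

def promethee_i_relation(flows, a, b):
    """PROMETHEE I relation of a to b: 'P' a preferred (>= on both flows, > on
    one), 'P-' b preferred, 'I' indifferent (equal), 'R' incomparable."""
    pa, ma, _ = flows[a]
    pb, mb, _ = flows[b]
    if pa == pb and ma == mb:
        return "I"
    if pa >= pb and ma <= mb:
        return "P"
    return "P-" if pb >= pa and mb <= ma else "R"

def promethee_ii_ranking(flows):
    """PROMETHEE II complete ranking by net flow, best first (as in the paper)."""
    return sorted(flows, key=lambda alt: flows[alt][2], reverse=True)
```

On this sample PROMETHEE I leaves NIST SP 800-30 and OCTAVE incomparable (NIST has the higher Phi+ but also the higher Phi-, so their lines would cross in a Figure 3 style plot), while PROMETHEE II resolves the pair by net flow.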
Figure 4 shows the percentage of information retained in the GAIA display. A color code is used to differentiate results: green indicates a satisfactory quality level, while red corresponds to a level that is too low.
Conclusion
The standards described above differ from each other in various organizational and technical aspects, such as methodology, human resources and software tools. The PROMETHEE-GAIA methodology used in this paper has several advantages over some other multiple-criteria methods, because it provides a complete ranking of alternatives (from best to worst) together with an analysis of criteria and alternatives. The paper has shown that this method can help choose an optimal security standard. In this case, it turned out to be ISO 27005.
Literature
[1] PROMETHEE & GAIA method, http://homepages.ulb.ac.be/~bmaresc/PROMETHEE.htm
[2] Prvulovic S. et al.: Application of Promethee-Gaia Methodology in the Choice of Systems for Drying Paltry Seeds and Powder Materials, Strojniški vestnik - Journal of Mechanical Engineering 57(2011)10, p. 778-784
[3] D-Sight PROMETHEE & GAIA Methodology, http://www.d-sight.com/learning-center/promethee-gaiasoftware
[4] Preference ranking organization method for enrichment evaluation, http://en.wikipedia.org/wiki/Preference_ranking_organization_method_for_enrichment_evaluation
[5] Comparison between ISO 27005, OCTAVE & NIST SP 800-30, http://sisainfosec.com/blog/comparison-between-iso-27005-octave-nist-sp-800-30-2/
[6] Gary Stoneburner, Alice Goguen, and Alexis Feringa: Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30
[7] Guide for Conducting Risk Assessments, NIST, September 2012, http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf